Intel Confidential

Welcome
This step-by-step training guide is intended to get you familiar with managing Intel® vPro™ systems with Microsoft* System Center Configuration Manager 2007 Service Pack 2 (SCCM 2007 SP2). Please use this guide to do the lab exercises in the virtual "training environment" assigned to you.
NOTE: This training guide is an updated version of the previously released SP1 guide. Please refer to the SP1 training guide if your environment has not been updated to SP2.

What is Intel® vPro™ Provisioning?
Provisioning is the process by which an Intel® vPro™ system is configured with the appropriate parameters to allow it to become manageable and operational within an IT environment.
- This process is sometimes referred to as Setup & Configuration.
- Provisioning sets parameters in the Manageability Engine (ME). Example parameters:
  - Administrator credentials
  - AMT host name
  - Networking details (DHCP, VLAN, etc.)
- Microsoft refers to the Manageability Engine as the Management Controller.

Intel® vPro™ Manageability Engine BIOS Extension (MEBx)
- The MEBx is the user interface to the Manageability Engine (ME); it allows configuration of the settings that control the operation of the ME.
- The MEBx is an option ROM module provided to the OEM by Intel; it is an extension to the system BIOS.
- The Manageability Engine runs on an embedded processor inside the Memory Controller Hub (MCH) and is responsible for executing the various AMT functions (remote power, IDE-Redirection, etc.).

Access the MEBx on your vPro system and perform a full unprovision of AMT
- Start up the Intel® vPro™ laptop (e.g. LNVT400-01).
- During the boot process, press the blue ThinkVantage button to access the MEBx interface (on other OEM systems, press CTRL+P to access the MEBx).
- Select F12 at the Startup Interrupt Menu.
- Type the MEBx password to log in (admin is the default when shipped from the OEM, but it has been modified for this training).
- Select Intel AMT Configuration and press Enter.
- Select Un-Provision and press Enter.
- Enter Y to Reset AMT Provisioning.
- Select Full Unprovision and press Enter.
- After the unprovision is complete, press the ESC key and select Exit.
- Enter Y to reboot the system.
Note: This will fully unprovision the MEBx and set it back to factory default mode, with the exception of the local MEBx password. This is the manual method to unprovision AMT; it is not usually required in a production environment, as unprovisioning can be done remotely.

Agent Based Provisioning and Infrastructure Services
1. Based on policy, the Configuration Manager agent assesses whether the client can be provisioned. If it can, it creates a One Time Password (OTP) and sends the OTP both to the OOB Service Point and into the Intel® AMT firmware.
2. The OOB Service Point secures the connection with the Intel AMT client through the embedded AMT self-signed certificate, then presents the provisioning certificate along with the OTP for initial authentication.
3. The OOB Service Point sets the Remote Admin and Intel® MEBx passwords (if not already changed).
4. The OOB Service Point requests a web server certificate on behalf of the Intel AMT client.
5. The OOB Service Point creates an object in AD for the Intel® vPro™ client.
6. The OOB Service Point pushes the web server certificate to the Intel AMT client.
7. The OOB Service Point pushes the ACL, power schema, and other configuration data to Intel AMT to finalize provisioning.

Login to the Lab – Step 1
- In your Internet browser, enter the URL https://connect.eil-infra.com
- You will be taken to the Logon screen as shown to the right. Enter the username and password provided to you.
- On the next screen, you will be offered web application choices. Choose the 'Hands-On Training' option for this training session.
- Accept the security alert pop-ups that follow (note: some of these security alerts will be removed in a future release).

Accessing SCCM Console (needed to execute next few steps)
- Upon successful authentication you will be directed to the ConfigMgr Training Cube with two images as shown. The one named DC1 represents the root domain controller (with DNS/DHCP etc.), and the one named SCCMSP2 has ConfigMgr.
- Click Connect to open the DC1 virtual machine, which is needed for subsequent steps.
- The first time you access the virtual machine console, VMware Lab Manager will install an ActiveX plug-in. Click the "Click here to install the following ActiveX control: 'vmware-mks.cab' from 'VMware Inc.'" message, click Install in the pop-up window, and wait for the install to complete.

Add ConfigMgr 2007 SP2 Server as a member of the Security Group
- In Active Directory Users and Computers, right-click the ConfigMgr Primary Site Servers group and select Properties.
- In the ConfigMgr Primary Site Servers Properties window, select the Members tab and click Add.
- Add the MSSCCM server and click OK (make sure to click the Object Types button and check Computers to find the SCCM computer account).
- Click OK to close the Properties window.
Note: Your ConfigMgr server is now a member of your ConfigMgr Primary Site Servers group and will be used later for applying security rights to AD OUs and certificate templates. Make sure you have not started the ConfigMgr server image while setting up this server security setting. If the ConfigMgr server is running, please shut it down now.

Add ConfigMgr Primary Site Servers Security group to the Management Controllers OU
- Right-click the Out of Band Management Controllers OU and click Properties.
- In the Out of Band Management Controllers Properties window, click the Security tab.
- Click Add and select the ConfigMgr Primary Site Servers group.
- Click OK to add the group, but DO NOT close the Properties window; continue to the next slide to set Full Control for this group.

Give Full Control for ConfigMgr Primary Site Servers Security group to the Management Controllers OU
- Check Full Control for the ConfigMgr Primary Site Servers security group.
- With ConfigMgr Primary Site Servers selected, click Advanced.
- Highlight the ConfigMgr Primary Site Servers group and click Edit.
- In the Apply to drop-down, select This object and all descendant objects.
- Click OK 3 times.
Note: We have now created an AD OU and given ConfigMgr 2007 SP2 the proper permission to create AMT objects for each vPro system during the provisioning phase.

Create RADIUS Security Group for AMT devices
- On your Infrastructure image, click Start > Programs > Administrative Tools > Active Directory Users and Computers.
- Expand vProDemo.com, right-click Users and select New > Group.
- In the New Object – Group window, enter AMT RADIUS Clients in the Group name field.
- Click OK.

Set Permissions on RADIUS Security Group
- Right-click the AMT RADIUS Clients group and select Properties.
- In the AMT RADIUS Clients Properties window, click the Security tab and click the Add button.
- In the Select Users, Computers, or Groups window, add ConfigMgr Primary Site Servers.
- Click OK.
- Select ConfigMgr Primary Site Servers and check Full control.
- Click OK.
COMPLETED: We have now created an AD OU and an AMT RADIUS group, and given the security group that the ConfigMgr 2007 SP2 server is a member of the proper permission to create Management Controllers objects for each Intel® vPro™ system during the provisioning phase.

Closer look at Certificates with ConfigMgr 2007 SP2 and Intel® vPro™
There are three types of certificates used in association with Intel vPro client provisioning and management within ConfigMgr 2007 SP2:
- Intel® AMT Self-Signed Certificate
  - Used during PKI provisioning to secure the connection
  - Transparent to the process
- Intel® AMT Provisioning Certificate
  - Used for Remote Configuration authentication by the Out of Band Service Point
  - Can be generated from an internal PKI infrastructure or purchased from a 3rd-party CA (VeriSign*, GoDaddy*, Comodo, Starfield)
  - A provisioning certificate can be generated from an internal PKI environment
  - Requires the internal root hash to be imported into the MEBx
  - Requires Option 15 set on DHCP to support "Zero Touch" configuration
- Intel® AMT Web Server Certificate
  - Used to secure the connection to the Intel AMT client from the management console
  - Issued to the Intel AMT client during the provisioning process
  - ConfigMgr 2007 SP2 requires the certificate to be issued by a Microsoft Enterprise CA
  - PKI certificate key sizes <= 2048 bits

Web Server Certificate Template issued in CA for use by ConfigMgr 2007 SP2
- In the Certification Authority window > Certificate Templates, you will now see ConfigMgr AMT Web Server Certificate listed in the right-hand pane, ready for use by the Out of Band Service Point.
Note: This web server template will be used by ConfigMgr 2007 SP2 to generate a unique certificate for each Intel® AMT system during the provisioning process; the certificate is used for the TLS session during management of Intel AMT.

RADIUS Client Certificate Template issued in CA for use by ConfigMgr 2007 SP2
- In the Certification Authority window > Certificate Templates, you will now see ConfigMgr AMT 802.1X Client Authentication Certificate listed in the right-hand pane, ready for use by the Out of Band Service Point.
Note: This certificate template will be used by ConfigMgr 2007 SP2 to generate a unique certificate for each Intel® AMT system, stored in the firmware during the provisioning process, allowing vPro systems to authenticate to an 802.1x network while the OS is in a sleep/off state.

Configure Root CA to Allow Revocation of Client Management Controller Certificates
- Add the ConfigMgr Primary Site Servers group.
- Click OK.
- Select the ConfigMgr Primary Site Servers group.
- Check Allow for the Issue and Manage Certificates and Request Certificates permissions for this group.
- Click OK.
Note: This setting is required when you perform actions such as unprovisioning the Management Controller. It keeps your PKI-issued certificates cleaned up (revoked).

Install Out of Band Service Point
- Open the ConfigMgr console (shortcut located on the desktop of the SCCM image).
- Navigate to System Center Configuration Manager > Site Database > Site Management > PRO – vPro Demo Primary Site > Site Settings > Site Systems.
- Right-click \\MSSCCM and click New Roles to launch the New Site Roles Wizard.

Install Out of Band Service Point (continued)
- On the General page, click Next (default settings).

Install Out of Band Service Point (continued)
- On the System Role Selection page, check Out of band service point and click Next.

Install Out of Band Service Point (continued)
- On the Out of Band Service Point page, click Next.
- Click Next again on the Summary page.

Install Out of Band Service Point (continued)
- Once the wizard completes, click Close.
You have now added the required service role to support Intel® vPro™ systems through ConfigMgr 2007 SP2.

Install Out of Band Service Point (continued)
- You will now see ConfigMgr out of band service point listed under the \\MSSCCM roles.
Note: After installing the ConfigMgr 2007 SP2 Out of Band Service Point, the log file C:\Program Files\Microsoft Configuration Manager\Logs\AMTSPSetup.Log can be reviewed to check the success or failure of the installation.

Configure Out of Band Component – General
- In the Out of Band Management Properties window, on the General tab under Provisioning Settings, click Browse to select the Active Directory container in which to store each Intel® AMT object.
Note: These fields may already be populated with the correct information from past lab exercises; use this screen as a reference if that is the case.
- Select Out of Band Management Controllers from the vProDemo domain.
Note: This is the OU created in Exercise 1.
- Click OK.

Configure Out of Band Component – General
- Click Set and provide the Intel® MEBx admin password (use the password given for this exercise) to be set during provisioning.
- Click OK.
Note 1: This Intel MEBx password setting is used by ConfigMgr 2007 SP2 to change the local password on the Management Controller during the provisioning process. By default, the factory setting for the password is admin. If this local password was manually changed in the Intel MEBx or by a previous provisioning process, this setting is ignored: the local Intel MEBx password can only be changed remotely while it is still set to the factory default (admin).

Configure Out of Band Component – General
- Check the box to Allow out of band provisioning.
Note 1: Out of band provisioning provides alternative methods to provision devices without an OS or SCCM client. The preferred method is in-band SCCM agent-based provisioning, shown in later modules. The Intel® AMT provisioning port can be modified if necessary, but doing so requires modification (physical touch) on each Management Controller (leave the default, 9971).
- Click Yes in the Security Warning to allow out of band provisioning.
Note: OOB provisioning is not required if you are going to use in-band SCCM agent-based provisioning (the preferred method). This option is for scenarios such as bare-metal provisioning, when no host OS or SCCM client agent is available.

Configure Out of Band Component – General
- Check the box to Register ProvisionServer as an alias in DNS.
Note: This creates an alias in your DNS environment so that provisioning hello packets from AMT are routed to the ConfigMgr 2007 SP2 server; it is used in PSK / bare-metal provisioning and SCS -> ConfigMgr 2007 SP2 migration. It does not apply and is not necessary for in-band ConfigMgr 2007 SP2 agent-initiated provisioning.

Configure Out of Band Component – General
- Under the Certificates section, click Browse and select Intel(R) Client Setup Cert – GoDaddy vProDemo.com and vProDemo.us UCC Backup.pfx (located in z:\GoDaddy_vProDemo).
- Click Open.
Note: This is the Remote Configuration Certificate (previously purchased from GoDaddy*; it could also be purchased from VeriSign*, Comodo, or Starfield) used for remote provisioning. The root hash of the CA that issued this certificate is pre-configured in the Management Controller's firmware as shipped from the OEM.
- Enter the password for this certificate (Pr0t3ct!0n) and click OK.
Note: Zeros are used in the above password.
Note: If the password is incorrect, you will receive an Invalid Password message. If the certificate is not a valid Remote Configuration Certificate, you will receive an Invalid Certificate message.
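Before the .pfx is loaded into the OOB component, it is worth confirming that it really is a Remote Configuration certificate of the kind described on the certificates slide, and reading off the root hash that the MEBx must already list. The PowerShell script below is an added example, not part of the Intel guide; the Intel setup-certificate EKU OID 2.16.840.1.113741.1.2.3 and the "Intel(R) Client Setup Certificate" OU marker are assumptions taken from Intel's remote-configuration certificate requirements, and vprodemo.com is assumed to be the lab's DHCP option 15 domain.

```powershell
# Added example (not from the Intel guide): pre-flight checks on a Remote Configuration
# (provisioning) certificate PFX before it is loaded into the OOB component.
# Assumptions (not stated in the guide): the Intel setup-certificate EKU OID and OU string
# below, and that the lab clients' DHCP option 15 domain is vprodemo.com.
param(
    [Parameter(Mandatory = $true)] [string] $PfxPath,      # e.g. z:\GoDaddy_vProDemo\<file>.pfx
    [Parameter(Mandatory = $true)] [string] $PfxPassword,
    [string] $ExpectedDomain = 'vprodemo.com'
)

$IntelSetupOid = '2.16.840.1.113741.1.2.3'            # assumption: Intel AMT setup-certificate EKU
$IntelSetupOu  = 'Intel(R) Client Setup Certificate'  # assumption: alternative subject OU marker
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'                  # id-kp-serverAuth

function Test-AmtProvisioningCert {
    param([string] $Path, [string] $Password, [string] $Domain)

    $findings = @()
    try {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList $Path, $Password
    } catch {
        return @("FAIL: cannot open PFX (wrong password or not a PFX): $($_.Exception.Message)")
    }

    # 1. The OOB Service Point needs the private key to authenticate to the firmware.
    if (-not $cert.HasPrivateKey) { $findings += 'FAIL: PFX contains no private key' }

    # 2. Key size limit stated in the guide (PKI certificate key sizes <= 2048 bits).
    $bits = $cert.PublicKey.Key.KeySize
    if ($bits -gt 2048) { $findings += "FAIL: key size $bits bits exceeds 2048" }
    else                { $findings += "OK:   key size $bits bits" }

    # 3. Validity window.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $findings += "FAIL: certificate not valid today (NotAfter $($cert.NotAfter))"
    }

    # 4. Enhanced key usages: Server Authentication plus the Intel setup marker.
    $ekus = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $ekus += $oid.Value }
        }
    }
    if ($ekus -notcontains $ServerAuthOid) { $findings += 'FAIL: Server Authentication EKU missing' }
    $hasIntelMarker = ($ekus -contains $IntelSetupOid) -or ($cert.Subject -like "*OU=$IntelSetupOu*")
    if (-not $hasIntelMarker) {
        $findings += 'FAIL: neither the Intel setup EKU nor the Intel setup OU is present (not a Remote Configuration certificate)'
    }

    # 5. The subject must belong to the domain the clients learn from DHCP option 15.
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if (($cn -ne $Domain) -and ($cn -notlike "*.$Domain")) {
        $findings += "WARN: subject CN '$cn' is not in domain '$Domain'"
    }

    # 6. Walk the chain to the root; its SHA-1 thumbprint is the "root hash" the MEBx must list.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $null = $chain.Build($cert)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($root.Subject -ne $root.Issuer) {
        $findings += "WARN: chain stops at '$($root.Subject)'; intermediate/root CA certs are missing from this PFX or the local store"
    }
    $findings += "INFO: root '$($root.Subject)' SHA-1 thumbprint $($root.Thumbprint); compare with the hash list in the MEBx"
    return $findings
}

$result = Test-AmtProvisioningCert -Path $PfxPath -Password $PfxPassword -Domain $ExpectedDomain
$result | ForEach-Object { Write-Output $_ }
if ($result -match '^FAIL') { exit 1 }
```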

Configure Out of Band Component – Intel® AMT Settings
- On the AMT Settings tab, click the icon to add AMT User Accounts.
- In the AMT User Account Setting window, click Browse and add the VPRODEMO\AMTAdmins account, then click OK.
- Check the Platform Administration box, which automatically selects all options by default.
- Click OK.
- Click Apply.
Note: This account specifies the rights to the Management Controller for the selected Intel® AMT capabilities.
Note: These fields may already be populated with the correct information from past lab exercises; use this screen as a reference if that is the case.

Configure Out of Band Component – Intel® AMT Settings
- In the Default IDE-redirect image text box, enter \\DC1\IDER\rds_rw.iso
- In the drop-down menu for Manageability is on in the following power states, select Always on (S0-S5).
Note: This setting ensures the Management Controller is on regardless of the state of the operating system (on, sleep, hibernate, off).
- Check the boxes:
  - Enable Web interface
  - Enable serial over LAN and IDE-redirect
  - Allow ping responses
  - Enable BIOS password bypass for power on and restart commands
  - Enable Support for Intel WS-MAN Translator (covered in the Legacy Provisioning class)
- Leave the default setting for Kerberos clock tolerance (5).
- Click Apply.

Configure Out of Band Component – Audit Settings
- On the Audit Settings tab, check all of the AMT features to enable auditing.
- Click Apply.
Note: To unprovision a system from the MEBx you have to disable the audit log first. Select the audit settings that are applicable to your production environment.

Configure Out of Band Component – Provisioning Schedule Settings
- On the Provisioning Schedule tab, change the Simple Schedule to 1 hour.
- Click OK.
Note: By default, Intel AMT systems attempt to initiate in-band provisioning every 24 hours. These settings change that default so provisioning occurs more frequently. Another option is the Custom Schedule, which lets you configure a start date and time with a recurrence pattern.

Lab Module 2.1: Advanced Out of Band Configuration
The following 2.1 module is an advanced topic on 802.1x and Wireless Profiles.

802.1x and Wireless Profiles
This section is for advanced vPro users who are familiar with 802.1x networking and a RADIUS server for authentication.
Requirements:
– Wireless AP = Linksys Dual-Band Wireless N Gigabit router that supports 802.1x
– There are many options available for wireless and 802.1x profiles; this training covers only one set (refer to Microsoft TechNet for the complete list of supported protocols)
– The RADIUS server (Microsoft NPS – Windows 2008 Server) has been pre-configured for training

Configure Out of Band Component – 802.1x Settings
- In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Site Management > PRO – vPro Demo Primary Site > Site Settings > Component Configuration.
- Right-click Out of band management component and click Properties.
- On the 802.1x and Wireless Settings tab, check the box for Enable 802.1x authentication for wired network and click Set.
Note: This setting provisions the vPro system with the proper 802.1x credentials so that the device can authenticate to a protected 802.1x network. The RADIUS server is pre-configured for this lab; the steps to set up this RADIUS server are out of scope for this training module.

Configure Out of Band Component – 802.1x Settings
- In the 802.1x Wired Network Access Control window, click the Select button.
- In the Trusted Root Certificate for Radius authentication window, select the radio button for From certificate authority (CA): and select DC1.vprodemo.com from the drop-down menu.
- Click OK.
Note: This certificate is the root certificate from the Enterprise CA on the infrastructure image, used to communicate with the RADIUS server. The RADIUS server is pre-configured on the infrastructure server for training purposes.

Configure Out of Band Component – Wireless Settings
- In the Security Group for RADIUS authentication section, select the radio button for Automatically add AMT-based computers to security group.
- Click the Browse button to choose a security group for the RADIUS server.
- In the Select Group window, add AMT RADIUS Clients.
- Click OK – 2 times.
Note: This completes the configuration for the 802.1x and Wireless profile settings.

Lab 2 Exercise Review
- Configured Provisioning Settings tab
  - Add Provisioning and Discovery Accounts: allows you to define additional Digest accounts that can be used to provision and discover AMT systems if the standard default account has been modified
- Configured 802.1X and Wireless tab
  - Created wired and wireless profiles to be added to AMT during the provisioning process, allowing AMT to authenticate to an 802.1x-protected network
  - Automatically added AMT devices to a security group for RADIUS authentication
- Configured Audit Settings tab
  - Enabled the features to be audited by AMT
- Configured Provisioning Schedule tab
  - Specified a specific schedule for AMT systems to initiate provisioning
- Configured Site Boundary for agent discovery

ConfigMgr 2007 SP2 Agent Installation and In-Band Provisioning
In this exercise, you will:
– Install the ConfigMgr 2007 SP2 client agent on an Intel® vPro™ system (e.g. Intel vPro laptop/desktop)
– Create an Unprovisioned vPro Client collection to hold discovered unprovisioned systems and enable the auto-provisioning policy on this collection
– Initiate an in-band remote configuration provisioning of an Intel vPro system with native ConfigMgr 2007 SP2 support
– NOTE: Bare-metal / out-of-band provisioning (no OS or SCCM client) is supported but not covered in this training; for information on this process see: SCCM Out of Band Provisioning (Bare Metal Provisioning)

Agent Based Provisioning Process
1. Based on policy, the Configuration Manager agent assesses whether the client can be provisioned. If it can, it creates a One Time Password (OTP) and sends the OTP both to the OOB Service Point and into the Intel® AMT firmware.
2. The OOB Service Point secures the connection with the Intel AMT client through the embedded AMT self-signed certificate, then presents the provisioning certificate along with the OTP for initial authentication.
3. The OOB Service Point sets the Remote Admin and Intel® MEBx passwords (if not already changed).
4. The OOB Service Point requests a web server certificate on behalf of the Intel AMT client.
5. The OOB Service Point creates an object in AD for the Intel® vPro™ client.
6. The OOB Service Point pushes the web server certificate to the Intel AMT client.
7. The OOB Service Point pushes the ACL, power schema, and other configuration data to Intel AMT to finalize provisioning.

Install ConfigMgr 2007 SP2 Client Agent on local system
- Log in to the Intel® vPro™ laptop:
  - User: ITproadmin
  - Password:
  - Domain: VPRODEMO
- Once logged in to the Intel® vPro™ client, map a drive to \\mssccm\c$
- Go to Program Files\Microsoft Configuration Manager\Client
- In the Client folder, double-click ccmsetup.exe
Note: This installs the SCCM SP2 client from your SCCM site server. This Intel vPro system must be joined to the infrastructure domain prior to the client setup.

Monitor ConfigMgr 2007 SP2 Client Agent Install
- Track the setup by monitoring the process ccmsetup.exe in Task Manager.
- Installation is complete once the CcmExec.exe process is running in Task Manager.
- You can track the agent installation on the client in c:\windows\system32\ccmsetup\ccmsetup.log (for Vista 64-bit the file is located in c:\windows\SysWOW64\CCM).
Note: Once the installation is complete, you will see the CcmExec service running in Task Manager. A reboot of the vPro system will help speed up the SCCM agent's check-in with the site server.

SCCM Agent discovered in ConfigMgr
- In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Computer Management > Collections.
- Right-click All Systems and select Update Collection Membership.
- After a few moments, right-click All Systems and select Refresh.
Note: You will see the client system on which you installed the SCCM client in All Systems, with a Yes in the Client column and listed as Approved. This integration into ConfigMgr happens after the SCCM client has been installed and checked in with the site server, which may take several minutes. Do not proceed until this client shows up in SCCM.

Collection Configuration
In this exercise, you will:
– Create an Intel® AMT collection to group Intel AMT systems that are AMT-capable and unprovisioned
– Configure an Intel AMT collection to automatically provision Out of Band Management Controllers

Add AMTStatus check to Query Statement
- In the Query Statement text box, type:

    select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
           SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup,
           SMS_R_SYSTEM.Client
    from SMS_R_System
    inner join SMS_G_System_AMT_AGENT on SMS_G_System_AMT_AGENT.ResourceID = SMS_R_System.ResourceId
    where SMS_G_System_AMT_AGENT.AMT >= "0"
      and (SMS_R_System.AMTStatus != "3" or SMS_R_System.AMTStatus is NULL)

Note: This query statement can be found in a text file at w:\SCCM New Hardware Inventory Query.txt. It pulls into this collection all clients that are discovered as Intel® vPro™ capable and not provisioned.
Note: Additionally, you can set up a collection for provisioned clients; in the Query Statement text box you would use:

    select * from SMS_R_System where AMTStatus = 3

This shows ALL vPro systems that have been provisioned.
- Click OK, and OK again on the Query Rule Properties window.
- In the Membership Rules window, click Next.
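The same membership logic can be evaluated outside the console, which is handy for checking why a client has not yet moved from the unprovisioned collection to the provisioned one. The PowerShell script below is an added example, not part of the Intel guide: it reads SMS_R_System and SMS_G_System_AMT_AGENT from the SMS provider and applies the where clause above in PowerShell rather than as a WQL join. It assumes the lab's site server MSSCCM and site code PRO, and the meaning of AMTStatus values other than 3 (the guide only states that 3 = provisioned) is an assumption.

```powershell
# Added example (not from the Intel guide): report each vPro client's provisioning state by
# applying the guide's collection query logic in PowerShell against the SMS provider.
# Assumptions: site server MSSCCM and site code PRO from the lab; AMTStatus names other
# than 3 = Provisioned are assumed, not taken from the guide.
param([string] $SiteServer = 'MSSCCM', [string] $SiteCode = 'PRO')

$Namespace = "root\sms\site_$SiteCode"
$AmtStatusNames = @{ 0 = 'Not supported'; 1 = 'Not provisioned'; 2 = 'Externally provisioned';
                     3 = 'Provisioned';   4 = 'Detected' }

function Get-VproProvisioningReport {
    param([string] $Server, [string] $Ns)

    # Hardware-inventory AMT class: one row per client that reported AMT data (the join side).
    $amtRows = @(Get-WmiObject -ComputerName $Server -Namespace $Ns `
                 -Query 'select ResourceID, AMT from SMS_G_System_AMT_AGENT')
    $amtByResource = @{}
    foreach ($r in $amtRows) { $amtByResource[[int]$r.ResourceID] = [string]$r.AMT }

    $systems = @(Get-WmiObject -ComputerName $Server -Namespace $Ns `
                 -Query 'select ResourceID, Name, Client, AMTStatus, AMTFullVersion from SMS_R_System')

    foreach ($s in $systems) {
        $rid = [int]$s.ResourceID
        if (-not $amtByResource.ContainsKey($rid)) { continue }   # no AMT inventory: not vPro-capable
        $amt = $amtByResource[$rid]
        if ($amt -lt '0') { continue }                            # mirrors  AMT >= "0"

        # Mirrors  (AMTStatus != "3" or AMTStatus is NULL)  from the guide's query.
        $status = $s.AMTStatus
        $unprovisioned = ($status -eq $null) -or ([int]$status -ne 3)
        $statusName = 'Unknown'
        if ($status -ne $null -and $AmtStatusNames.ContainsKey([int]$status)) {
            $statusName = $AmtStatusNames[[int]$status]
        }

        # Triage hint: agent installed (Client = 1) but still unprovisioned after the
        # provisioning schedule has run points at OOBMGMT.log / Amtopmgr.log.
        $hint = ''
        if ($unprovisioned -and ([int]$s.Client -eq 1)) {
            $hint = 'agent present, not yet provisioned: review OOBMGMT.log and Amtopmgr.log'
        }

        New-Object PSObject -Property @{
            Name         = $s.Name
            AMTStatus    = $statusName
            AMTVersion   = $s.AMTFullVersion
            AMTInventory = $amt
            Collection   = $(if ($unprovisioned) { 'Unprovisioned vPro Clients' } else { 'Provisioned' })
            Hint         = $hint
        }
    }
}

$report = @(Get-VproProvisioningReport -Server $SiteServer -Ns $Namespace)
$report | Sort-Object Collection, Name |
    Format-Table Name, AMTStatus, AMTVersion, Collection, Hint -AutoSize
$provisioned = @($report | Where-Object { $_.Collection -eq 'Provisioned' }).Count
"{0} provisioned, {1} unprovisioned" -f $provisioned, ($report.Count - $provisioned)
```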

Add Intel® AMT Display Columns to the collection
- In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Computer Management > Collections > Unprovisioned vPro Clients.
- Click the Unprovisioned vPro Clients collection, right-click in the right-hand pane, and select View > Add/Remove Columns.
- In the Add/Remove Columns window, add AMT Status and AMT Version to the Displayed columns and move these fields below the Name field for easy viewing.
- Click OK.
Note: Perform these same steps for the All Systems collection. This allows you to see Intel AMT related information in the collection.
DON'T THINK WE NEED THIS STEP WITH NEW QUERY

Configure Site Parameters to Use Secure Remote Power Control
To allow ConfigMgr 2007 SP2 to use AMT power-on commands with advertisements, Wake On LAN for the site needs to be enabled.
- In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Site Management > PRO – vPro Demo Primary Site.
- Right-click the PRO – vPro Demo Primary Site server and select Properties.
- Select the Wake on LAN tab.
- Check Enable Wake on LAN for this site.
- Select Use power on commands only.
- Click OK.
Note: This allows ConfigMgr 2007 SP2 to wake up Intel® AMT enabled systems with the secure, authenticated wake-up methods in Intel AMT for scheduled activities.

Initiate Action on the ConfigMgr 2007 SP2 Client Agent
- On the Intel® vPro™ system, open the Control Panel.
- After the agent installation is complete, you will see a Configuration Manager icon under System and Security.
Note: It may be helpful to reboot the client at this time.
- Double-click the Configuration Manager icon.
- Select the Actions tab.
Note: On a Vista 64-bit OS, you will find the Configuration Manager icon under the View 32-bit Control Panel Items icon in the Control Panel.

Initiate Action on the ConfigMgr 2007 SP2 Client Agent
- Click Machine Policy Retrieval & Evaluation Cycle and click the Initiate Action button.
- Click OK in the window indicating the action has been initiated.
Note: This speeds up the provisioning cycle rather than waiting for the scheduled event to occur, as you would in a production environment. You may need to initiate the Machine Policy action more than once to start the provisioning process immediately.
Note: You can track the progress by monitoring the logs directory c:\windows\system32\CCM\Logs (on a Vista 64-bit OS, the logs folder is located under c:\windows\SysWOW64\CCM\Logs):
- OOBMGMT.log tracks the progress of the auto-provisioning of AMT. You should see a log entry stating "Successfully activated the device." This indicates the SCCM agent has initiated the provisioning process.
- PolicyAgent.log tracks all of the policies pulled down by the agent from the ConfigMgr 2007 SP2 server.
Refer to the SendSched utility in the Appendix to launch the provisioning immediately (click here).

Provision AMT via In-Band ConfigMgr 2007 SP2 Client Agent
- After a few minutes, provisioning will complete automatically and you can update your collection membership.
- Right-click Collections and select Update Collection Membership.
- Click Yes to confirm that you want to proceed.
- Right-click the All Systems collection and select Refresh.
- The client will now appear in the All Systems collection as Provisioned and will no longer be listed in the Unprovisioned vPro Clients collection.
Note: You can track the provisioning progress in C:\Program Files\Microsoft Configuration Manager\Logs\Amtopmgr.log. The length of this process depends on the time it takes for the ConfigMgr 2007 SP2 agent to check in with the server and pull down its policies.
Congratulations! You have just successfully completed in-band provisioning in ConfigMgr 2007 SP2 and enabled Intel® vPro™ systems to be managed out of band from the ConfigMgr 2007 SP2 console.
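Both OOBMGMT.log on the client (previous slide) and Amtopmgr.log on the site server use the standard ConfigMgr log line layout, so the "Successfully activated the device." milestone and any error entries can be pulled out programmatically rather than scrolled for. The script below is an added example, not part of the Intel guide; its sample log lines are constructed for illustration, and only the activation message text comes from the guide.

```powershell
# Added example (not from the Intel guide): parse ConfigMgr-format log lines from
# OOBMGMT.log (client) or Amtopmgr.log (site server) and pull out the provisioning
# milestone and error entries. The sample lines below are constructed for this example;
# only the "Successfully activated the device." text comes from the guide.
param([string] $LogPath = 'C:\Windows\System32\CCM\Logs\OOBMGMT.log')

# ConfigMgr log line layout:
# <![LOG[message]LOG]!><time="..." date="..." component="..." context="" type="N" thread="..." file="...">
$CmLogPattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]*)" date="(?<date>[^"]*)" component="(?<comp>[^"]*)"[^>]*?type="(?<type>\d)"'
$TypeNames = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }   # ConfigMgr log severity codes

function ConvertFrom-CmLogLine {
    param([string] $Line)
    $m = [regex]::Match($Line, $CmLogPattern)
    if (-not $m.Success) { return $null }          # not a ConfigMgr-format line; skip it
    New-Object PSObject -Property @{
        Date      = $m.Groups['date'].Value
        Time      = $m.Groups['time'].Value
        Component = $m.Groups['comp'].Value
        Severity  = $TypeNames[$m.Groups['type'].Value]
        Message   = $m.Groups['msg'].Value
    }
}

function Get-AmtProvisioningEvents {
    param([string[]] $Lines)
    $events = @()
    foreach ($line in $Lines) {
        $e = ConvertFrom-CmLogLine -Line $line
        if ($e -eq $null) { continue }
        # The milestone the guide tells you to look for, plus anything logged as an error.
        $activated = $e.Message -like 'Successfully activated the device*'
        if ($activated -or $e.Severity -eq 'Error') {
            $e | Add-Member -MemberType NoteProperty -Name Milestone `
                -Value $(if ($activated) { 'AMT activation requested by agent' } else { '' })
            $events += $e
        }
    }
    return $events
}

# Constructed sample lines (same layout as real ConfigMgr logs; message text is invented here
# except for the activation message quoted in the guide).
$SampleLines = @(
  '<![LOG[Constructed sample: starting OOB provisioning evaluation]LOG]!><time="10:15:02.123+000" date="01-20-2010" component="oobmgmt" context="" type="1" thread="1234" file="oobmgmt.cpp:100">',
  '<![LOG[Successfully activated the device.]LOG]!><time="10:15:09.456+000" date="01-20-2010" component="oobmgmt" context="" type="1" thread="1234" file="oobmgmt.cpp:200">',
  '<![LOG[Constructed sample error: OTP handoff to the OOB service point failed]LOG]!><time="10:15:10.789+000" date="01-20-2010" component="oobmgmt" context="" type="3" thread="1234" file="oobmgmt.cpp:250">'
)

# Use the real log when present; otherwise run over the constructed sample.
$lines = if (Test-Path $LogPath) { Get-Content $LogPath } else { $SampleLines }
Get-AmtProvisioningEvents -Lines $lines |
    Format-Table Date, Time, Severity, Milestone, Message -AutoSize
```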

Lab Module 3 Review
- Installed the SCCM client agent on the Intel vPro system
- Created an Intel® AMT Unprovisioned collection
- Modified membership rules for the Unprovisioned collection
- Added the AMT hardware inventory check to the query statement
- Enabled automatic OOB provisioning on the collection
- Added Intel AMT display columns to the collections
- Configured site parameters to use Secure Remote Power Control (used in the Real World Use Cases module)
- Initiated an in-band agent-based provisioning
- Updated collections to see the provisioned AMT system

OOB Management Console
- In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Computer Management > Collections > All Systems.
- Right-click a provisioned system.
- Select Out of Band Management > Out of Band Management Console.
Note: This launches the OOB Management Console, which allows you to perform all of the OOB management capabilities in ConfigMgr 2007 SP2. You can also perform Power Control, Update / Delete Data in the Management Controller, and Enable/Disable/Clear Audit Log without opening the OOB Management Console. (Update = reprovisioning.)

OOB Management Console – System Status
- Once the OOB Management Console opens, you will see:
  - System: Connected/Busy
  - Serial connection: Inactive
Note: SCCM SP2 no longer automatically opens a serial connection. Instead, the serial connection is left inactive until you select Tools > Open Serial-over-LAN Connection. You will see a warning indicating that if this device is connected wirelessly, the connection may be dropped during the SOL session.
- In this screen, you can view:
  - Power
  - IP Address
  - Host Name
  - Domain Suffix
  - System ID (UUID)
  - Date of last refresh
  - Time of last refresh

OOB Management Console – System Information
- In this screen, you can view all of the system hardware inventory stored in the Intel® ME firmware.

OOB Management Console – Power Control
- In this screen, you can perform all of the OOB power function capabilities:
  - Power ON
  - Power OFF
  - Restart Computer
  - IDER to ISO
  - Boot to BIOS
  - Bypass BIOS Password
  - Lock remote keyboard
- Take a few minutes to perform a few power option features:
  - Power on/off the desktop
  - Redirect to BIOS to see the system BIOS in the Serial Connection window
  - Perform IDER to a local ISO (this will be covered in depth in our "real world" Use Case section)
Note: Remember to start a Serial-over-LAN session before redirecting to an ISO or BIOS so you can view/control the session in the Serial Connection tab.
Note: When you select to power cycle a vPro system, you will be warned that this action can cause data loss if the system has open applications and unsaved data (this is not a graceful shutdown).

OOB Management Console – System Audit Log
- In this screen, you can view the system audit log and export this information to a file.

Intel Confidential 118
OOB Management Console – Serial Connection
• In this screen, you can view and control the Serial Connection of the remote screen (e.g. BIOS or DOS based ISO image)

Intel Confidential 119
OOB Management Console – Data Storage
• In this screen, you can enter information into the 3rd Party Data Store (3PDS) and save this information for later viewing
• Type any random data in the window and select Save
Note: Intel has provided Powershell scripts that can be used to push/pull data to/from this 3PDS from a central location (e.g. Site Server). This would allow you to push data remotely (e.g. asset tag and location information) and access this data through the OOB console. For more information on these scripts, see Real World Use Case #4: Powershell Scripts for 3PDS.

Intel Confidential 120
Use Internet Explorer* to manage Intel ® AMT
• On your ConfigMgr 2007 SP2 server, open Internet Explorer
• Type https://.vprodemo.com:
• If the system is successfully provisioned with a TLS certificate, you will see the Intel AMT WebUI interface.
• Click Log On
• In the login window, use the account set up in the OOB Component
  – User name: vprodemo\ITproadmin
  – Password:
• If you successfully authenticate to Intel AMT, you will see the WebUI to manage Intel AMT
  – System Status
  – Hardware Information
  – Event Log
  – Remote Control
  – Power Policies
  – Network Settings
  – User Accounts
Note: Accessing the WebUI and successfully logging in confirms both that your Kerberos authentication is successful and that your TLS certificate is functioning properly. This is a good testing step to ensure the system was successfully provisioned by SCCM.
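The WebUI check above relies on Internet Explorer to tell you whether the TLS certificate SCCM pushed to the AMT client is trusted. The following PowerShell function is an added example (not part of the Intel training guide) that does the same certificate check from the ConfigMgr server without a browser and reports the subject, issuer, expiry and chain status. It assumes the AMT host name in vprodemo.com (lnvt400-01 is only an illustrative name) and that the AMT TLS port is 16993, which the guide leaves out of the URL; the Kerberos logon is not covered and still has to be verified in the WebUI as the slide describes.

```powershell
# Added example, not part of the Intel training guide: confirm from the ConfigMgr
# server that a provisioned Intel AMT system presents a valid TLS server
# certificate before opening the WebUI in Internet Explorer.
# Assumptions: $AmtHost is the AMT host name in vprodemo.com and 16993 is the
# Intel AMT TLS port (the guide leaves the port out of the URL).
function Test-AmtTlsCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$AmtHost,
        [int]$Port = 16993
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($AmtHost, $Port)

        # Let the handshake complete for any certificate; the chain is validated
        # explicitly below so the result is reported instead of thrown away.
        $acceptForInspection = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $certificate, $chain, $sslPolicyErrors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptForInspection)
        $ssl.AuthenticateAsClient($AmtHost)

        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Build() uses this server's trusted root store, the same store IE consults.
        $chainValid = $chain.Build($cert)
        $dnsName = $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)

        New-Object PSObject -Property @{
            Host        = $AmtHost
            Port        = $Port
            Protocol    = $ssl.SslProtocol
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            NotAfter    = $cert.NotAfter
            NameMatches = ($dnsName -ieq $AmtHost)
            ChainValid  = $chainValid
            ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        }
    }
    finally {
        $tcp.Close()
    }
}

# Usage (host name is illustrative):
# Test-AmtTlsCertificate -AmtHost 'lnvt400-01.vprodemo.com' | Format-List
```

ChainValid and NameMatches both True correspond to IE opening the WebUI without a certificate warning; a False ChainValid with a ChainStatus such as an untrusted root or an expired certificate points at the certificate provisioning step rather than at the Kerberos account.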

Intel Confidential 121
Lab Module 4 Review
• The Out of Band Management Console is the ConfigMgr 2007 SP2 interface to perform Out of Band Management features
  – Power Up/Down
  – Restart
  – Boot to BIOS
  – Redirect to an ISO
  – Hardware Inventory
  – System Information
• You can also perform Power Up/Down and Management Controller reprovisioning/delete from within ConfigMgr 2007 SP2 directly
• Use the Web Interface in IE to manage Intel® AMT Systems

Intel Confidential 123
Real World Use Cases
The following “Real World” Use Cases have been developed to help customers with drop-in solutions that will enable them to gain immediate value with Intel ® vPro™ and SCCM within a production environment:
  – Wake On Advertisements
  – Remote KVM
  – Remote Drive Share
  – Powershell Scripts for 3PDS

Intel Confidential 125
Using Intel ® AMT Power Options to wake up a system with a SCCM Advertisement
When creating a software distribution in ConfigMgr 2007 SP2, you can leverage Intel AMT power options to wake up a system (e.g. for after-hours patching scenarios). Make sure your vPro Client is Powered Off for the next exercise.

Intel Confidential 126
Create a Task Sequence to be used in an Advertisement
• In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Computer Management > Operating System Deployment > Task Sequences
• Right click on Task Sequences, select New > Task Sequence
• In the New Task Wizard window, select Create a New custom task sequence
• Click Next

Intel Confidential 127
Create a Task Sequence to be used in an Advertisement
• In Task Sequence Information, enter the Task Sequence Name: Just Shutdown and add appropriate Comments
• Click Next
• Confirm the information in the Summary and click Next
• Once the Wizard completes, click Close

Intel Confidential 128
Edit Task Sequence to be used in an Advertisement
• In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Computer Management > Operating System Deployment > Task Sequences
• Right click on the Just Shutdown Task Sequence (created in the previous step), select Edit
• In the Just Shutdown Task Sequence Editor, click Add > General > Run Command Line
• In the Name field, type Shut Down
• In the Command Line window, type shutdown -s -f
• Click OK

Intel Confidential 129
Create an Advertisement to use Intel ® AMT power up and run Task Sequence
• In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Computer Management > Collections > All Systems
• Right click on All Systems, select Advertise Task Sequence
• In the New Advertisement Wizard, enter Shut Down Client in the name field
• In the Task Sequence field, click Browse
• In the Select Task Sequence window, select the Just Shutdown Task Sequence
• In the Collections field, click Browse and select All Systems
• Click OK
• Click Next

Intel Confidential 130
Create an Advertisement to use Intel ® AMT power up and run Task Sequence
• In the Schedule screen, enter an Advertisement start time (leave default)
• Under Mandatory Assignments, click the New button
• In the Assignment Schedule window, select Assign immediately after this event and select As soon as possible in the drop-down list
• Click OK
• Check the Enable Wake On LAN box
Note: This check box will enable ConfigMgr 2007 SP2 to use the Intel AMT secure Power On feature to wake up the system per the settings defined in a previous step: Site Power Controls
• Select Priority as High
• Click Next

Intel Confidential 131
Create an Advertisement to use Intel ® AMT power up and run Task Sequence
• On the Distribution screen, leave the defaults and click Next
• On the Interaction screen, leave the defaults and click Next
• On the Security screen, leave the defaults and click Next
• On the Summary screen, click Next
• On the Wizard Complete screen, click Next
Note: As soon as the advertisement is seen, it will begin powering up the Intel ® vPro™ provisioned system using the Intel AMT power up command and run the Task Sequence to shut it back down.

Intel Confidential 136
Install KVM Viewer on SCCM Site Server
• On the MSSCCM VM image, double click KVMViewSetup.exe to install the KVM Viewer
• In the KVMView Setup Wizard, click Next
• In the Select Installation Folder window, click Next
• In the Confirmation Installation window, click Next
• In the Installation Complete window, click Close
Note: This installation will install the KVMViewer application in c:\program files\Intel\KVMView
• After installation is complete, delete the KVMCerts.PEM file in the KVMView folder
• Recreate a KVMCerts.PEM file by creating a new text file (New Text Document.txt) and renaming it to KVMCerts.PEM (file size will now be 0KB)

Intel Confidential 137
Integrating KVM into SCCM Site Server
• Close the ConfigMgr Console in the VM image
• Copy the file vpro_client.xml and place it into c:\Program Files\Microsoft Configuration Manager\AdminUI\xmlstorage\Extensions\Actions\7ba8bf bdb dcf6\
Note: This file will give you the ability to right click on a provisioned vPro KVM system and launch the KVMViewer from within the ConfigMgr Console.

Intel Confidential 138
Launching Integrated KVM Console
• Open the ConfigMgr Console (shortcut on the desktop)
• In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Computer Management > Collections > All Systems
• Right click on a Provisioned vPro system that is KVM Capable
• Select Intel KVM Remote Control > Start Session
• The KVMView Console will launch and will start to automatically recreate the trusted root certificate file (.PEM file) for securing a connection to the device
Note: This new right click KVM remote control feature calls the KVMView Console installed previously.

Intel Confidential 139
Authenticating with KVM Console
• The KVM Console will connect to the KVM system and prompt the user for a User Consent Code (Note 1)
• The end user will read the User Consent Code to the Remote KVM administrator so it can be entered into the KVM Console (Note 2)
• This will establish a secure KVM session between the KVM Console and the Intel vPro KVM system
Note: This User Consent Code is for privacy and security protection but can be disabled for your environment.

Intel Confidential 140
Managing with KVM Console
• After the remote KVM Console is authenticated with the User Consent Code, a full secure KVM session is established
• With the KVM Console, restart the remote vPro System
• With a KVM session established, you can see the entire boot process
Note: You can perform all functions remotely within the OS, similar to using the standard in-band agent based remote control functions. Intel vPro KVM extends this reach and allows you to see the system regardless of the OS state (on, off, BSoD, hung, etc.).

Intel Confidential 141
Intel KVM and MSDaRT
• During the reboot process, select MSDaRT at the Windows Boot Manager
• Press Enter
Note: This will load a WinPE image from a local partition on the drive that contains Microsoft’s Diagnostic and Recovery Utilities.

Intel Confidential 143
Managing with KVM Console
• In the System Recovery Options window, click Microsoft Diagnostic and Recovery Toolset
• This will bring up the MSDaRT Tools to allow you to remotely troubleshoot the Intel vPro System
Note: Depending on the issues experienced with this remote system, many of these tools can be used to diagnose and repair the remote system without having to make a “deskside” visit.

Intel Confidential 156
SendSched Utility to start provisioning
In order to start the in-band agent based provisioning immediately, you can use the sendsched utility to initiate the process from the vPro Client. This is the Windows Management Instrumentation Tester.
• Open a command prompt and type wbemtest
• After the Windows Management Instrumentation Tester utility opens, click Connect
• In the Namespace field of the Connect window, type the remote system name you want to force the check on, followed by \root\ccm (requires admin rights on the remote system)
• Click Connect
  – You can also simply run the command on the local system by leaving out the host name
  – Example: \root\ccm
• After you successfully connect to the target system, click the Execute Method button
• In the Get Object Path window, type sms_client in the Object Path field
• Click OK
• In the Execute Method window, enter TriggerSchedule in the Method field
• Click the Edit In Parameters button
• In the Object editor for _PARAMETERS window, double click sScheduleID in the Properties field
• In the Property Editor window, change the Value to Not NULL and add the following: { }
  – This value is the Object ID to initiate this OOB auto-provisioning check
• Click the Save Property button
• In the Object editor for _PARAMETERS window, click the Save Object button
• In the Execute Method window, click the Execute button
• After you Execute the method, you should see a message that the Method was executed successfully
• To confirm that your method was executed, look at the target system's c:\windows\system32\CCM\Logs\oobmgmt.log
• You should now see a new entry in the log, GetProvisioningSetting, indicating that the policy has been re-evaluated

Intel Confidential 159
Troubleshooting ConfigMgr 2007 SP2 Agent Auto-provisioning policy
• If you do not see your system automatically provision in ConfigMgr 2007 SP2, look in c:\windows\system32\CCM\Logs
  – (on Vista 64-bit OS, the logs folder is located under c:\windows\SysWOW64\CCM\Logs)
  – OOBMGMT.log
• If you see the log stating Auto Provision Policy Disabled, perform the following steps.
  – MORE TO BE ADDED
If you see the OOBMGMT.log showing autoprovisioning policy disabled, this indicates the agent has not found a collection that has enabled automatic provisioning.
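The wbemtest procedure on the SendSched slide and the OOBMGMT.log check on this slide are one workflow: force the agent to re-read its policy, then read the log to see whether it found a collection with automatic provisioning enabled. The PowerShell below is an added example (not one of Intel's or Microsoft's own scripts) that performs both steps: Invoke-WmiMethod makes the same root\ccm sms_client.TriggerSchedule call that wbemtest does, and the second function reads the last lines of oobmgmt.log from either log path the guide names and reports whether GetProvisioningSetting or an Auto Provision Policy Disabled entry was written most recently. The schedule ID is a placeholder that must be replaced with the sScheduleID value from the guide, the host name in the usage comment is illustrative, and admin rights on the target are assumed as the slide states.

```powershell
# Added example, not one of Intel's or Microsoft's own scripts: the wbemtest
# TriggerSchedule procedure from PowerShell, followed by an oobmgmt.log check.
# Assumptions: replace the placeholder schedule ID with the sScheduleID value
# from the guide; the log is at one of the two paths the guide lists; you have
# admin rights on the target system (required by TriggerSchedule).

function Invoke-AmtProvisioningCheck {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        # Placeholder, not a real GUID: use the sScheduleID value from the guide.
        [string]$ScheduleId   = '{SCHEDULE-ID-FROM-GUIDE}'
    )
    # Same call wbemtest makes: namespace root\ccm, class sms_client,
    # method TriggerSchedule, in-parameter sScheduleID.
    try {
        Invoke-WmiMethod -ComputerName $ComputerName -Namespace 'root\ccm' `
            -Class 'sms_client' -Name 'TriggerSchedule' -ArgumentList $ScheduleId | Out-Null
        return $true
    }
    catch {
        Write-Warning "TriggerSchedule failed on ${ComputerName}: $($_.Exception.Message)"
        return $false
    }
}

function Get-AmtProvisioningLogStatus {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Tail = 200
    )
    # 32-bit path first, then the SysWOW64 path the guide gives for Vista x64.
    $paths = @(
        "\\$ComputerName\c$\Windows\System32\CCM\Logs\oobmgmt.log",
        "\\$ComputerName\c$\Windows\SysWOW64\CCM\Logs\oobmgmt.log"
    )
    $log = $paths | Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $log) { return "oobmgmt.log not found on $ComputerName at either path" }

    # Entries are in CMTrace format: <![LOG[message]LOG]!><time="..." date="..." ...>
    # Only the most recent relevant entry matters, since an earlier "disabled"
    # line may precede a successful re-evaluation.
    $last = Get-Content $log |
        Select-Object -Last $Tail |
        Select-String -Pattern 'GetProvisioningSetting', 'Auto ?Provision(ing)? Policy Disabled' |
        Select-Object -Last 1

    if (-not $last) {
        return 'No provisioning entries in the last lines of the log; wait for the agent and retry'
    }
    if ($last.Line -match 'Policy Disabled') {
        return 'Policy disabled: the agent found no collection with automatic provisioning enabled'
    }
    return "Policy re-evaluated: $($last.Line)"
}

# Usage (host name is illustrative; omit -ComputerName to run against the local system):
# if (Invoke-AmtProvisioningCheck -ComputerName 'vproclient01') {
#     Start-Sleep -Seconds 30
#     Get-AmtProvisioningLogStatus -ComputerName 'vproclient01'
# }
```

The "Policy disabled" result is the condition this slide describes: the fix is on the site server side (a collection with automatic provisioning enabled that contains the client), not on the client, so re-triggering the schedule alone will not change the outcome.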

Intel Confidential 163
SCCM Out of Band Provisioning
1. Admin imports provisioning data for the Client being provisioned into ConfigMgr 2007 SP1
2. vPro Client sends a PKI hello packet to the provisioning server (defined firmware schedule)
3. OOB Service Point secures the connection with the AMT client through the embedded AMT self-signed certificate and presents the Provisioning Certificate for initial authentication
4. OOB Service Point sets the Remote Admin and MEBx password (if not changed)
5. OOB Service Point requests a web server certificate on behalf of the AMT client
6. OOB Service Point creates an object in AD for the vPro Client
7. OOB Service Point pushes the web server certificate to the AMT client
8. OOB Service Point pushes ACL, power schema, and other configuration data to AMT to finalize provisioning

164
Intel Confidential 164 REMOVED SLIDES

Intel Confidential 165
Additions to Intel® vPro™ Technology
Expanded Manageability
  – Uninterrupted keyboard, video & mouse control
  – Local wake capability to ensure local management tasks are executed
Cross Client Consistency
  – Same security and manageability features for both desktop and notebook
  – DASH 1.1 and full IPv6 support
Enhanced Security
  – Manageable data protection with integration of drive encryption solutions
  – Asset & data protection with anti-theft features and services
Energy Efficient Performance
  – New micro-architecture and partitioning to support better application performance with continued energy savings
Lower TCO with more efficient, more secure, more manageable platforms

Intel Confidential 166
Provision AMT via In-Band ConfigMgr 2007 SP2 Client Agent
• After a few minutes, provisioning will automatically complete and you can update your collection membership
• Right click Collections and select Update Collection Membership
• Click Yes to confirm that you want to proceed
• Right click on the All Systems collection and select Refresh
• The client will now appear in the All Systems collection as Provisioned and no longer be listed in the Unprovisioned vPro Clients collection
Note: You can track the provisioning progress under C:\Program Files\Microsoft Configuration Manager\Logs\Amtopmgr.log. The length of this process depends on the time it takes for the ConfigMgr 2007 SP2 Agent to check in with the Server and pull down its policies.
Congratulations! You have just successfully completed in-band provisioning in ConfigMgr 2007 SP2 and enabled Intel ® vPro™ systems to be manageable out of band by the ConfigMgr 2007 SP2 console.
Removed Slide and used for Reference / Backup

Intel Confidential 168
Monitor Policies being applied to ConfigMgr 2007 SP2 Client
• After the Agent has pulled down the machine policies from the ConfigMgr 2007 SP2 server, you will see more Actions listed in the Actions tab of the Configuration Manager
Removed Slide and used for Reference / Backup

Intel Confidential 169
Discover Systems with ConfigMgr 2007 SP2 Discovery
• In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Site Management > PRO – vPro Demo Primary Site > Site Settings > Discovery Methods
• Double click on Active Directory System Discovery
Note: With the collection defined, you can use any of the discovery methods that ConfigMgr 2007 SP2 provides (AD System Group, AD Security Group, AD System, AD User, Heartbeat, or Network) to discover the client. If you decide to use Network discovery, refer back to the steps on required configuration.
Note: For more information about network discovery and how to schedule it to run, see About Network Discovery and How to Schedule Network Discovery.
Removed Slide and used for Reference / Backup

Intel Confidential 171
Initiate the Polling Schedule for Discovery
• On the Polling Schedule, check the box to Run discovery as soon as possible
• Click Apply
• Click OK
Note: This will initiate a discovery of all the systems listed in the computer OU in the Active Directory.
Removed Slide and used for Reference / Backup

Intel Confidential 172
Update Collection to see Discovered System
• After you run the discovery method
• Right click All Systems and select Update Collection Membership
• Click OK to confirm that you want to proceed
• Right click on All Systems and select Refresh (F5)
• The client will now appear in the All Systems and Unprovisioned vPro Clients collections
Note: It may take a couple of minutes for the system to show up. You may continue to click Refresh on the All Systems collection until you see the client in the collection. The Intel ® AMT status of the device will be in an unknown state. Ensure the firewalls on the virtual images, the host OS running the virtual images, and the vPro system are not enabled. The Windows Client firewall can inhibit communications.
Update Images
Removed Slide and used for Reference / Backup

Intel Confidential 173
Use Out of Band Management to Discover Management Controllers
• After the client is populated in the All Systems collection, check to see if any of the systems are Intel ® vPro™ capable
• Right click on the newly discovered system > Out of Band Management > Discover Management Controllers
• Click OK
Note: This will scan the system and validate which clients are Intel vPro capable and ready to be provisioned. You can also scan an entire collection for AMT systems.
Note: You can monitor the discovery process by watching amtopmgr.log located in C:\Program Files\Microsoft Configuration Manager\Logs (you will find a shortcut to this log on the SCCM Virtual Image desktop)
Update Images
Removed Slide and used for Reference / Backup

Intel Confidential 174
Update Collection membership to see Intel ® vPro™ system Not Provisioned
• After a few minutes, depending on the size of your collection, you can update your collection membership
• Right click Collections and select Update Collection Membership
• Click Yes to confirm that you want to proceed
• After one minute, right click on Collections and select Refresh
• The client will now appear in the Unprovisioned vPro Clients collection listed as Not Provisioned, and when the ConfigMgr 2007 SP2 Agent checks in for its policies, this collection will start the automatic provisioning process.
Note: If you look back at the All Systems collection, you will now see the system listed as Not Provisioned. You will also see the version of Intel ® AMT listed. If you do not see your system in the Unprovisioned collection, the collection query or discovery method failed (refer back to previous steps).
Note: If the system is listed as Detected, remove the client from ConfigMgr, boot the client into the Intel MEBx and SMB provision, unprovision, repeat AD Discovery (p.96-97), and repeat Discover Management Controllers (p.98-99)
Removed Slide and used for Reference / Backup

Intel Confidential 175
Lab Module 3 Review
• Installed ConfigMgr 2007 SP2 Client Agent on local system
• Initiated Action on the ConfigMgr 2007 SP2 Client Agent to check in with the ConfigMgr 2007 SP2 server to receive its policies
• Validated Policies were being applied to the ConfigMgr 2007 SP2 Client through associated logs
• Updated the ConfigMgr 2007 SP2 Collection Membership and found that the Intel ® vPro™ system was successfully provisioned using the ConfigMgr 2007 SP2 in-band agent.
Removed Slide and used for Reference / Backup

Intel Confidential 176
Configure Network Discovery for Management Controllers
• In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Site Management > PRO – vPro Demo Site > Site Settings > Discovery Methods
• In the right hand window, right-click Network Discovery, and click Properties
• On the General tab, select Enable Network Discovery and select the Topology radio button
• Select Enable discovery of out of band management controllers
• Click OK
Note: This will allow ConfigMgr 2007 SP2 to detect if a system is Intel ® AMT capable.
Removed Slide and used for Reference / Backup